(54) Access-right setting system and storage medium



(57) An access-right setting system for setting right to access resources on a computer, comprises an access-right setting pattern storage section (24) for storing one or more types of access-right setting patterns in which at least an object to obtain permission to access the resources is written, and a selecting section (21) for selecting any one of the access-right setting patterns to set the right to access.
Description

[0001] This invention relates to an access-right set- 
ting system and a storage medium, and more particu- 
larly to an access-right setting system and a storage me- 
dium which are suitable for setting access-rights to re- 
sources on the computers distributed over departments 
or sites. 

[0002] In recent years, computers have been con- 
nected to each other to form a network, making it easy 
for one computer to access another or enabling more 
than one person to use a single computer. Accordingly, 
it is getting more important to manage access to re- 
sources (including files on a file system, WWW contents 
on a WWW server, and various devices) in computers. 
[0003] To set access-rights to resources on such com- 
puters, it is necessary to set authority to each of the serv- 
ers or OS (operating system) that manage the resourc- 
es. The setting is generally done by logging in a com- 
puter to which authority is to be set and doing setting 
work. 

[0004] Specifically, access-right information (herein- 
after, also referred to as ACL (access control list)) is set 
to each server as follows: for example, "permit user 1 to 
read and write and user 2, user 3, and user 4 to only 
read." 

[0005] Many pieces of the set access-right informa- 
tion fit the following fixed pattern: for example, "permit 
the system manager to read and write but ordinary users 
to only read." 

[0006] An actual user corresponding to "system manager" or "ordinary user" differs from department to department or from site to site. For example, it follows that in department A, "system manager = user a, ordinary user = user b, user c, user d" and that in department B, "system manager = user a, ordinary user = user p, user y."

[0007] In a conventional access-right setting method, since members differ from department to department, access-rights have to be set, one by one, to resources to which access-rights are to be set.

[0008] In the above example, the access-right that "permit user a to read and write and user b, user c, user d to only read" is set to the resources on the computers department A has. In addition, the access-right that "permit user a to read and write and user p, user y to only read" is set to the resources on the computers department B has.

[0009] As described above, although the pattern of 
the access-right information to be set is the same, au- 
thority actually has to be set according to a different 
piece of access-right information. This makes it difficult 
to ease the burden on the access-right setter. 
[0010] In a distributed system where computers distributed over departments or sites cooperate with one another to carry out processes, the job of setting access-rights to the resources on each computer for access control imposes a severe burden on the access-right setter. This is because the access-right setter has to log in the individual computers one by one each time he or she does the setting and then set separate access-rights on the logged-in computer.

[0011] An object of the present invention is to provide an access-right setting system and a computer-readable medium which enable access-rights to be set to resources efficiently, irrespective of departments or sites, and further ease the burden of setting and avoid errors in the setting.

[0012] Another object of the present invention is to provide an access-right setting system and a computer-readable medium which enable access-rights to be set without logging in a computer to which access-rights are to be set, each time setting is done, and further ease the burden of setting and avoid errors in the setting.
[0013] According to a first aspect of the present invention, there is provided an access-right setting system for setting right to access resources on a computer, comprising: an access-right setting pattern storage section for storing one or more types of access-right setting patterns in which at least an object to obtain permission to access the resources is written; and a selecting section for selecting any one of the access-right setting patterns to set the right to access.

[0014] Use of the access-right setting patterns enables access-rights to be set to resources efficiently, regardless of departments and sites. Since the patterns have been prepared beforehand, the setter need not fill in the access control list one by one, facilitating the setting of access-rights more, which eases the burden on the setter.

[0015] It is preferable that the access-right setting pattern storage section should store access-right setting patterns in which the object to obtain the permission is written in abstract user name. In addition, it is desirable that the access-right setting pattern storage section should store not only the object but also access-right setting patterns in which the contents of the right to access are written. Furthermore, the access-right setting system preferably further comprises an access control list creating section which creates an access control list used to set the right to access by adapting a user-group name corresponding to an actual user name correlated with an abstract user name to the abstract user name in the access-right setting pattern selected by the selecting section.

[0016] Therefore, when post names in a department are caused to correspond to, for example, abstract user names in the access control list, this facilitates the setting of access-rights much more. The larger the number of resources to which access-rights are set, the more the burden on the setter is reduced. Moreover, since user-group names are adapted in creating an access control list, the contents of the access-right setting can be changed without recreating an access control list, even when members in the group have been changed as a result of personnel changes.



EP 0 992 873 A2



[0017] According to a second aspect of the present 
invention, there is provided a computer program stored 
on a computer-readable medium used to control an ac- 
cess-right setting system for setting right to access re- 
sources on a computer, the computer program compris- 
ing: a code of access-right setting pattern managing 
means for causing a storage unit to store one or more 
types of access-right setting patterns in which at least 
an object to obtain permission to access the resources 
is written; and a code of selecting means for causing the 
access-right setting pattern managing means to select 
any one of the access-right setting patterns to set the 
right to access. 

[0018] This summary of the invention does not nec- 
essarily describe all necessary features so that the in- 
vention may also be a sub-combination of these de- 
scribed features. 

[0019] The invention can be more fully understood from the following detailed description when taken in conjunction with the accompanying drawings, in which:

FIG. 1 is a block diagram showing the configuration of a computer system to which an access-right setting system according to a first embodiment of the present invention is applied;
FIG. 2 is a block diagram showing the functional configuration of the access-right setting system in the first embodiment;
FIG. 3 shows an example of an access-right setting pattern group;
FIG. 4 shows an example of user information on a department (department A);
FIG. 5 shows an example of user information on another department (department B);
FIGS. 6A, 6B, and 6C show examples of ACL created by the ACL converting section;
FIG. 7 is a flowchart for the operation of the access-right setting system in the first embodiment;
FIG. 8 is a block diagram showing the functional configuration of an access-right setting system according to a second embodiment of the present invention;
FIG. 9 is a flowchart for the operation of the access-right setting system in the second embodiment;
FIG. 10 is a block diagram showing the functional configuration of an access-right setting system according to a third embodiment of the present invention;
FIG. 11 is a block diagram showing the functional configuration of an access-right setting system according to a fourth embodiment of the present invention;
FIG. 12 shows examples of an ACL file created by the ACL converting section in the fourth embodiment;
FIG. 13 is a block diagram showing the functional configuration of an access-right setting system according to a fifth embodiment of the present invention;
FIG. 14 is a block diagram showing the configuration of an access-right setting pattern editing function applied to an access-right setting system according to a sixth embodiment of the present invention;
FIG. 15 is a block diagram showing an example of a network system to which an access-right setting system according to a seventh embodiment of the present invention is applied;
FIG. 16 shows an example of an access-right setting pattern group in the seventh embodiment;
FIG. 17 shows an example of user information on a sports department; and
FIG. 18 shows an example of user information of a movie department.

[0020] Hereinafter, referring to the accompanying drawings, embodiments of the present invention will be explained.

(First Embodiment) 

[0021] FIG. 1 is a block diagram showing the configuration of a computer system to which an access-right setting system according to a first embodiment of the present invention is applied.

[0022] The computer system is composed of LANs in a setting and managing department 2, an A department 3, a B department 4, a C department 5, ... connected to each other via a network 1.

[0023] The LAN of the setting and managing department 2 is connected via a router 6 to the network 1 and has a setting management server 8 and a directory server 9 connected to its data transmission line 7. The setting and managing department 2 is a department for setting and managing access-rights.

[0024] Of the departments 3, 4, 5, for example, the LAN of the A department 3 is connected via a router 10 to the network 1 and has computers 12 connected to its data transmission line 11. Each of the computers 12 connected to the LAN is provided with a WWW server 13, a contents information transmitting section 14, and an ACL setting section 15. In the first embodiment, the resources on each computer 12 in each of the departments 3, 4, 5, ... are objects to which access-rights are to be set.

[0025] FIG. 2 is a block diagram showing the functional configuration of the access-right setting system in the first embodiment.

[0026] The access-right setting system mainly comprises an access-right setting section 21, an ACL converting section 22, an access-right setting pattern managing section 23, a set 24 including access-right setting patterns stored in a memory unit (not shown), a user information managing section 25, and user information 26 stored in a memory unit (not shown) which are provided in the setting and managing department 2, and a contents information transmitting section 14 and an ACL setting section 15 which are provided on the computer 12 in each department.

[0027] In the above configuration of the setting and managing department 2, the setting management server 8 includes the access-right setting section 21, ACL converting section 22, access-right setting pattern managing section 23, and set 24 of access-right setting patterns. The directory server 9 includes the user information managing section 25 and user information 26. As long as each of these sections is placed in the setting and managing section 2, they may be provided on the same computer or distributed over many computers.

[0028] The access-right setting section 21 accepts the input by the access-right setter from an input device 27 and enables the setting and managing department 2 to set access-rights to the WWW server 13 on the computer 12 in each department 3.
[0029] To do this, the access-right setting section 21 
receives content information from the contents informa- 
tion transmitting section 14 on the computer 12 and ac- 
quires an access-right setting pattern from the set 24 of 
access-right setting patterns via the access-right setting 
pattern managing section 23. Then, the access-right 
setting section 21 gives the acquired setting pattern and 
right setting target information to the ACL converting 
section 22 and asks the ACL converting section 22 to 
create ACL. 

[0030] The access-right setting pattern managing section 23 manages the set 24 of access-right setting patterns and registers, retrieves, or deletes an access-right setting pattern according to the request of the access-right setting section 21.

[0031] The set 24 includes access-right setting patterns, as shown in FIG. 3.

[0032] FIG. 3 is a table showing an example of an ac- 
cess-right setting pattern group. 
[0033] FIG. 3 shows two setting patterns. Pattern #1 is the pattern of "giving read right to the general manager and section chief and both of read right and execute right to the system manager." Pattern #2 is the pattern of "giving both read right and execute right to the general manager and section chief and only read right to ordinary members."

[0034] Here, "GENERAL MANAGER," "SECTION 
CHIEF," "SYSTEM MANAGER," and "ORDINARY 
MEMBERS" are abstract user names, not users to 
which access-rights are actually set. Converting ab- 
stract user names into actual user names is done on the 
basis of the user information 26. 
[0035] The user information managing section 25 manages the user information 26 and registers, retrieves, or deletes the information. In the first embodiment, the function of the user information managing section 25 is realized by a directory server function complying with LDAP (Lightweight Directory Access Protocol). It may be realized by another method, as long as the method assures a similar function. The directory server is a computer for providing centralized management of personnel in a company or a laboratory, using LDAP. In the directory server, the latest information on the departments and on the individuals is constantly updated by another input/output means (not shown).

[0036] The user information 26 is such information as corresponds to a table correlating user names (user IDs) with abstract user names (such as posts) and is managed by the directory server.

[0037] FIG. 4 shows an example of user information 
in a certain department (department A). 
[0038] FIG. 5 shows an example of user information 
in a certain department (department B). 
[0039] Next, receiving an ACL creating instruction 
from the access-right setting section 21, the ACL con- 
verting section 22 asks the user information managing 
section 25 to take out a piece of user information corre- 
sponding to the department name acquired from the ac- 
cess-right setting section 21. Then, the ACL converting 
section 22 adapts the user information to the setting pat- 
tern acquired from the access-right setting section 21 
and creates access-right information (access control 
list: ACL) to be actually set in WWW content 28. 
[0040] FIGS. 6A, 6B, and 6C show examples of ACL 
created by the ACL converting section. 
[0041] FIG. 6A shows a concrete example of the con- 
tents of an ACL file. Here, "path" indicates path informa- 
tion on a computer to which access-rights are to be set 
and "allow" represents the contents of permission, such 
as read permission, write permission, or execute per- 
mission. Additionally, "user" indicates a concrete user 
name to become an object of a certain "allow." 
[0042] FIGS. 6B and 6C show examples of the user 
information of FIGS. 4 and 5 adapted by the ACL con- 
verting section 22 to pattern #1 of the set 24 of access- 
right setting patterns of FIG. 3. The contents shown in 
FIG. 6B or 6C are converted into the information as 
shown in FIG. 6A, thereby forming an ACL file. 
[0043] For example, in FIG. 6B, it is assumed that setting pattern #1 is set in WWW content 28a on the WWW server 13a in the A department 3. Specifically, for the following access-rights,

general manager = read right
section chief = read right
system manager = read right, execute right,

the ACL converting section 22 effects the following conversion: "general manager -> Suzuki," "section chief -> Sato," and "system manager -> Takahashi, Tanaka," creates an ACL file with the contents shown in FIG. 6B, and transmits the file to the A department. The ACL is set in the WWW content 28a by the ACL setting section 15 on the computer 12, which will be explained later.

[0044] Similarly, when setting pattern #1 is set in WWW content 28b on the WWW server 13b in the B department 4, an ACL file with the contents shown in FIG. 6C is created and transmitted to the B department 4.

[0045] The component elements provided in each 
computer 12 to which the ACL file is transmitted will be 
explained. 

[0046] The WWW server 13 (including 13a and 13b), which is provided in each computer 12, is server software for the World Wide Web. More than one WWW server 13 may be provided on a single computer 12. Each WWW server 13 has one or more WWW content 28 (including 28a and 28b) as resources. While in the first embodiment, objects to which access-rights are set have been WWW contents on the WWW servers, the objects may be other contents, as long as they are resources (for example, contents on a certain OS) with access-right setting means.

[0047] The contents information transmitting section 14 transmits file names, presently set access-rights, and others as content information on the content 28 on the WWW server 13 specified by the access-right setting section 21.

[0048] The ACL setting section 15 sets the access- 
right information (ACL 29) received from the ACL con- 
verting section 22 in the WWW contents to which ac- 
cess-rights are to be set. 

[0049] Next, the operation of the access-right setting 
system in the first embodiment constructed as de- 
scribed above will be explained by reference to FIGS. 2 
and 7. 

[0050] FIG. 7 is a flowchart for the operation of the 
access-right setting system in the first embodiment. 
[0051] As shown in FIG. 7, in the setting and managing department 2, the setter enters the necessary data into the access-right setting section 21 to choose to which WWW server 13 access-right should be set (s1). It is assumed that the WWW server 13a in the A department 3 has been chosen.

[0052] Next, the access-right setting section 21 instructs the contents information transmitting section 14 in the A department 3 to transmit content information on the chosen WWW server 13a (s2).
[0053] Receiving the instruction, the contents infor- 
mation transmitting section 14 acquires the content in- 
formation on the WWW server 13a and transmits the 
information to the access-right setting section 21 (s3). 
[0054] Receiving the content information, the access- 
right setting section 21 instructs the access-right setting 
pattern managing section 23 to transmit an access-right 
setting pattern list (s4). 

[0055] The access-right setting pattern managing 
section 23 reads the set 24 of access-right setting pat- 
terns and transmits it to the access-right setting section 
21 (s5). 

[0056] The access-right setting pattern list is displayed on a display device (not shown). While checking the display, the setter chooses the content 28a to which an access-right is to be set and the access-right setting pattern to be set to the contents and enters the chosen pieces of information to the access-right setting section 21 (s6).

[0057] The access-right setting section 21 transmits the pieces of information chosen at step s6 to the ACL converting section 22 (s7). Information on the chosen contents includes information on which department the setting target exists.

[0058] Because the WWW server 13a to which access-rights are to be set exists in the A department 3, the ACL converting section 22 instructs the user information managing section 25 to transmit user information on the A department 3 (s8).

[0059] Receiving the instruction, the user information managing section 25 retrieves user information on the A department 3 from the user information 26 and transmits the retrieved information to the ACL converting section 22 (s9).

[0060] Next, the ACL converting section 22 applies the received user information to the abstract user name in the access-right setting pattern, thereby creating an actual ACL (see FIG. 6A) to be set in the WWW contents 13a (s10). As described above, creating the ACL is effected by substituting the user information into the access-right setting pattern. The created ACL includes information (e.g., pattern number) to decide which access-right setting pattern has been chosen, in the form of comments on ACL or the like.

[0061] The ACL created at step s10 follows the format that can be used at the WWW server 13a to which access-rights are to be set. Although the ACL format differs from one WWW server product to another, the ACL converting section 22 holds each piece of format information and creates ACL according to each WWW server 13.

[0062] Next, the ACL converting section 22 transmits the created ACL 29 via the network 1 to the ACL setting section 15 in the computer 12 in the A department 3 (s11).

[0063] The ACL setting section 15 sets the ACL 29 transmitted to the computer 12 in the content 28a of the target WWW server 13a (s12).

[0064] As described above, the ACL has been set in the content 28. After the ACL has been set, accessing the content 28 (for example, content 28a) is effected as follows. Here, it is assumed that attribute information (including user names and passwords) on the individual users has been registered in the directory server 9.

[0065] When a user attempts to access the content 28a in the WWW server 13a, the WWW server 13a requests the user to enter the user name and password. When receiving the user name and password, the WWW server 13a asks the directory server 9 about user information on the user and checks whether the set of the user name and password entered by the user coincides with what has been registered properly (this process is generally known as user authentication). When it has been verified that the set has been registered properly, the WWW server 13a then compares the user name with the name of the authorized person set in the ACL. If there is the authorized person's name coinciding with the user name, the WWW server 13a permits the user to access the content 28a according to the rights set in the ACL.

[0066] The access-right setting system according to 
the first embodiment produces the following effects. 
[0067] First, because the ACL converting section 22 creates an ACL automatically on the basis of the information from the access-right setting section 21, the user can set an ACL by just choosing an access-right setting pattern, which alleviates the trouble of setting an ACL. Especially because the setter need not write an ACL each time he or she sets the contents of access-rights, this prevents inadequate setting due to errors in description.

[0068] Since each pattern in the set 24 of access-right 
setting patterns is written using abstract user names, the 
same access-right setting pattern can be used for de- 
partments or sites to which different users belong. As a 
result, the number of access-right patterns the entire 
system needs is decreased remarkably, reducing the 
management cost, which therefore reduces the access- 
right setting cost. 

[0069] Each process in the first embodiment is com- 
pleted with the setting of access-rights. This prevents 
an additional process from being performed in access- 
ing contents on the WWW server, leading to no deteri- 
oration of performance during execution (in operation: 
in accessing resources). 

[0070] Use of the mechanism for transferring from the ACL converting section 22 to the computer 12 in each department enables one place (e.g., the setting and managing department 2) to centrally set access-rights to contents on the WWW servers 13 distributed over the network 1. This alleviates the access-right setter's trouble of logging in the computer 12 to which access-rights are to be set each time setting is done. To realize this process, there is no need to make modifications or additions to the access-right checking mechanism of the WWW servers during execution (in accessing contents).

[0071] Since all the user information is managed by the directory server 9, even when modifications are made to the user information as a result of personnel changes, the change of the user information is reflected easily by just reconverting the ACL on the basis of information (e.g., pattern number) on the access-right setting pattern added to the ACL. The access-right setting section 21 is designed to be able to choose reconversion. When reconversion is selected, the access-right setting section 21 instructs the contents information transmitting section 14 to include information on the pattern into the content information. Then, on the basis of information on the pattern, the access-right setting section 21 automatically acquires information to be given to the ACL converting section 22 and gives an instruction to create an ACL.
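
The conversion of paragraphs [0039] to [0061] and the reconversion of paragraph [0071], as an added Python example that is not part of the patent text. The ACL line layout, the department field in the pattern comment, the department B and replacement user names, the rule of refusing a pattern when an abstract user name has no member, and the user-name character check are assumptions made for this example.

```python
import re

# Access-right setting patterns as described for FIG. 3 (abstract user names).
PATTERNS = {
    1: {"GENERAL MANAGER": ["read"],
        "SECTION CHIEF": ["read"],
        "SYSTEM MANAGER": ["read", "execute"]},
    2: {"GENERAL MANAGER": ["read", "execute"],
        "SECTION CHIEF": ["read", "execute"],
        "ORDINARY MEMBERS": ["read"]},
}

# User information per department (held by the directory server in the text).
# Department A uses the names from paragraph [0043]; department B is constructed.
USER_INFO = {
    "A": {"GENERAL MANAGER": ["Suzuki"], "SECTION CHIEF": ["Sato"],
          "SYSTEM MANAGER": ["Takahashi", "Tanaka"]},
    "B": {"GENERAL MANAGER": ["Ito"], "SECTION CHIEF": ["Kato"],
          "SYSTEM MANAGER": ["Mori"]},
}

# Assumed rule: names written into an ACL may not contain separators or newlines,
# so a malformed directory entry cannot add or alter ACL lines.
NAME_OK = re.compile(r"[A-Za-z0-9_.-]+")


def convert(pattern_no, department, path, user_info):
    """Substitute actual user names into a pattern and return the ACL text."""
    if pattern_no not in PATTERNS:
        raise ValueError(f"unknown pattern #{pattern_no}")
    if "\n" in path or "\r" in path:
        raise ValueError("path must be a single line")
    members = user_info[department]
    # The pattern number is kept as a comment so the ACL can be reconverted later.
    lines = [f"# pattern={pattern_no} department={department}", f"path={path}"]
    for abstract_name, rights in PATTERNS[pattern_no].items():
        users = members.get(abstract_name, [])
        if not users:  # assumed policy: refuse rather than emit a partial ACL
            raise ValueError(f"department {department} has no {abstract_name}")
        for user in users:
            if not NAME_OK.fullmatch(user):
                raise ValueError(f"unsafe user name {user!r}")
            lines.append(f"allow={','.join(rights)} user={user}")
    return "\n".join(lines) + "\n"


def parse_acl(text):
    """Return (pattern_no, department, path, {user: set of rights})."""
    header, path_line, *entries = text.strip().splitlines()
    match = re.fullmatch(r"# pattern=(\d+) department=(\w+)", header)
    if match is None or not path_line.startswith("path="):
        raise ValueError("ACL lacks the pattern comment or the path line")
    grants = {}
    for entry in entries:
        allow, user = entry.split(" ")
        rights = allow[len("allow="):].split(",")
        grants.setdefault(user[len("user="):], set()).update(rights)
    return int(match.group(1)), match.group(2), path_line[len("path="):], grants


def reconvert(old_acl, user_info):
    """Rebuild an ACL from its pattern comment and report the difference."""
    pattern_no, department, path, old = parse_acl(old_acl)
    new_acl = convert(pattern_no, department, path, user_info)
    new = parse_acl(new_acl)[3]
    report = {
        "revoked": sorted(u for u in old if u not in new),
        "granted": sorted(u for u in new if u not in old),
        "changed": sorted(u for u in old if u in new and old[u] != new[u]),
    }
    return new_acl, report


if __name__ == "__main__":
    acl_a = convert(1, "A", "/docs/plan.html", USER_INFO)
    print(acl_a)
    # Constructed personnel change: Tanaka leaves the role, Yamada takes it over.
    after = {**USER_INFO, "A": {**USER_INFO["A"],
                                "SYSTEM MANAGER": ["Takahashi", "Yamada"]}}
    new_acl, report = reconvert(acl_a, after)
    print(new_acl)
    print(report)
```

The "revoked" list names the users a stale per-user ACL would keep authorizing until reconversion is run, which makes it a useful item to review after each personnel change.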

(Second Embodiment) 

[0072] While in the first embodiment, the setting and managing department side has converted an ACL pattern into an ACL and then distributed the ACL to WWW servers, the WWW server side converts an ACL pattern into an ACL in a second embodiment of the present invention.

[0073] FIG. 8 is a block diagram showing the functional configuration of an access-right setting system according to a second embodiment of the present invention. In FIG. 8, the same parts as those in FIG. 2 are indicated by the same reference symbols and explanation of them will be omitted. Only the parts different from those in FIG. 2 will be explained.

[0074] The access-right setting system has the same configuration as that of the first embodiment except that the user information managing section 25, pieces of user information 26a, 26b, ... and the ACL converting section 22 are provided in each of the departments 3, 4, ...

[0075] The pieces of user information 26a, 26b, ... are pieces of information on the departments 3, 4, ..., respectively. The pieces of user information and user information managing section 25 are provided in each computer 12 in a department LAN or in the server computer (department managing computer 31) that manages information on the department and carries out various processes. In either case, the ACL converting section 22 is designed to be able to ask the user information managing section 25 to acquire the user information.

[0076] The operation of the access-right setting system of the second embodiment constructed as described above will be explained by reference to FIGS. 8 and 9.

[0077] FIG. 9 is a flowchart for the operation of the 
access-right setting system of the second embodiment. 
[0078] Of the processes shown in FIG. 9, those at step t1 to step t6 are the same as those at step s1 to step s6 in FIG. 7 of the first embodiment, and therefore explanation of them will be omitted. In the second embodiment, a case where access-rights are set to content 28a in the WWW server 13a in the A department 3 will be explained.

[0079] When the setter has entered the data to the access-right setting section 21 (t6), the access-right setting section 21 of the setting management server 8 transmits information to specify the content 28a to which access-rights are to be set and information (ACL pattern 32) on an access-right setting pattern to be set for the contents to the ACL converting section 15 on the computer 12 in the A department 3 via the network 15 (t7).

[0080] Receiving the ACL pattern 32, the ACL converting section 22 instructs the user information managing section 25 in the A department 3 to transmit the user information on the A department 3 (t8).

[0081] Receiving the instruction, the user information managing section 25 acquires the user information and further creates an ACL 29 on the basis of the user information and setting pattern in the same manner as at steps s8, s9, and s10 of FIG. 7 in the first embodiment (FIG. 9: t8, t9, and t10).

[0082] The ACL 29 created by the ACL converting section 22 in the A department is transmitted to the ACL setting section 15 in the A department 3 (t11).

[0083] Receiving the ACL 29, the ACL setting section 15 sets the ACL 29 in the content 28a on the WWW server 13a as in the first embodiment (t12).
[0084] The way of accessing the content 28 to which 
the ACL has been set as described above is the same 
as in the first embodiment. A concrete explanation of it 
will be omitted. 

[0085] The access-right setting system of the second 
embodiment produces not only a similar effect to that in 
the first embodiment but also the following effects. 
[0086] Since the data transmitted via the network 1 is 
only the ACL pattern 32 (setting pattern information and 
content specifying information), the amount of data 
transmitted is reduced as compared with the first em- 
bodiment. 

[0087] Furthermore, carrying out the conversion into 
the ACL 29 on each WWW server 13 side enables the 
burden of ACL converting work to be distributed, as 
compared with the first embodiment. 

(Third Embodiment) 

[0088] While in the second embodiment, the user in- 
formation managing section and user information have 
been provided in each department, the ACL converting 
section is provided in each department and the user in- 
formation managing section and user information are 
provided collectively in the setting and managing de- 
partment 2 in a third embodiment of the present inven- 
tion. 

[0089] FIG. 10 is a block diagram showing the func- 
tional configuration of an access-right setting system ac- 
cording to the third embodiment of the present invention. 
In FIG. 10, the same parts as those in FIGS. 2 and 8 are 
indicated by the same reference symbols and explana- 
tion of them will be omitted. Only the parts different from 
those in FIGS. 2 and 8 will be explained. 
[0090] The access-right setting system has the same 
configuration as that of the second embodiment except 
that the user information managing section 25 and user 
information 26 are provided in the directory server 9 in 
the setting and managing department 2 as in the first 
embodiment. 

[0091] The access-right setting system of the third 
embodiment constructed as described above operates 
similarly to the second embodiment except that the ACL 
converting section 22 asks the user information manag- 
ing section 25 in the setting and managing department 
2 about the user information in the relevant department 
via the network 1.



[0092] The way of accessing the content 28 to which 
an ACL has been set as described above is the same 
as in the first embodiment. A concrete explanation of it 
will be omitted. 

[0093] The access-right setting system of the third 
embodiment produces not only a similar effect to that of 
the second embodiment but also the following effect. 
Because the user information 26 is managed collective- 
ly in the setting and managing department 2, the cost of 
installing user information managing resources and the 
cost of managing the user information in each of the
departments 3, 4, ... can be reduced as in the first
embodiment.

[0094] Although in the third embodiment, there arises 
an overhead in which the setting and managing depart- 
ment is asked about the user information each time an 
ACL is created, resulting in an increase in the traffic, 
such an increase in the traffic is prevented in the first 
and second embodiments.

(Fourth Embodiment) 

[0095] While in the first to third embodiments, the cre- 
ated access-rights have been expressed in the form of 
an access-right to each user, access-rights are set on a 
user-group basis, each consisting of a single user or plu- 
ral users, in a fourth embodiment of the present inven- 
tion. 

[0096] FIG. 11 is a block diagram showing the func- 
tional configuration of an access-right setting system ac- 
cording to the fourth embodiment of the present inven- 
tion. In FIG. 11, the same parts as those in FIG. 2 are 
indicated by the same reference symbols and explana- 
tion of them will be omitted. Only the parts different from 
those in FIG. 2 will be explained. 
[0097] The access-right setting system has the same 
configuration as that of the first embodiment except that 
the function of the ACL converting section 22' is modi- 
fied. 

[0098] The ACL converting section 22' differs from the 
equivalent in the first embodiment in that it creates such 
an ACL as uses a user-group consisting of a single or 
plural users instead of using user names as authorized 
persons to be set. Although not explained in the first to 
third embodiments, the user information managing sec- 
tion 25 manages not only user-group names but also 
information about which user-group which user belongs 
to. 

[0099] FIG. 12 shows an example of an ACL file created
by the ACL converting section in the fourth embodiment.
As shown in FIG. 12, a user-group name 52 is
written in the field in which a user name should be put 
in FIG. 6A. 

[0100] A WWW server 13 in the fourth embodiment 
provides an ACL setting function or a user-group man- 
aging function on a user-group basis. 
[0101] The operation of the access-right setting system
in the fourth embodiment constructed as described
above will be explained.

[0102] The operation of the fourth embodiment is the 
same as that of the first embodiment except that ACL 
setting is done using user-group names. 
[0103] For example, consider a case where the user
information in the A department 3 is as shown in FIG. 4
and access pattern #1 of FIG. 3 is set in the content 28a
on the WWW server 13a in the A department 3.
[0104] It is assumed that the user information managing
section 25 manages the definitions of the following
user-groups according to the information shown in FIG.
4:

"General manager in department A" group = Suzuki belongs to

"Section chief in department A" group = Sato belongs to

"System manager in department A" group = Takahashi and Tanaka belong to.

[0105] Here, a rule that "a target department name 
should be added in front of an abstract user name" is 
employed as a naming rule of user-group names. An- 
other naming rule may be used, provided that informa- 
tion on what naming rule is employed must be shared 
by the ACL converting section 22' and user information 
managing section 25. 

[0106] While in the first embodiment, the ACL con- 
verting section 22 develops an abstract user name in 
the access-right setting pattern into an actual user 
name, the ACL converting section 22' of the fourth em- 
bodiment develops an abstract user name into a user- 
group name according to the naming rule. Specifically, 
the following access-right setting pattern 

general manager = read right
section chief = read right
system manager = read right, execute right

is converted into the following ACL

general manager in the A department = read right
section chief in the A department = read right
system manager in the A department = read right, execute right.

[0107] Similarly, when the same access-right setting
pattern #1 is set in the WWW server 13 in the B department,
the access-right setting pattern is converted into
the following ACL,

general manager in the B department = read right
section chief in the B department = read right
system manager in the B department = read right, execute right.

[0108] The ACL setting section 15 of the computer 12
sets the converted ACL in the content 28a of the WWW
server 13a.

[0109] The way of accessing the content 28 to which
the ACL has been set as described above is basically
the same as in the first embodiment. Only the parts differing
from the first embodiment will be explained.
[0110] When the WWW server 13 checks the authorized
persons set in the ACL after having completed the
user authentication, the server 13 verifies, by asking the
directory server 9, which users belong to the user-group,
because a user-group name has been written in the ACL.
For example, a list with the user names "Takahashi,
Tanaka" is obtained for the user-group "System manag- 
er in department A." It is verified whether the user name 
(the user attempting to access contents) confirmed as 
a result of user authentication has been included in the 
list of user names obtained here. If it has been included, 
it is verified that the user is an authorized person and 
the user is permitted to access the content 28 according 
to the right set in the ACL. 

[0111] The access-right setting system of the fourth 
embodiment produces not only a similar effect to that of 
the first embodiment but also the following effect. Be- 
cause the access-right setting pattern is developed into 
a user-group, not an actual user, the change of the user 
information due to personnel changes can be coped 
with by just changing the definition of the user-group, 
which eliminates the work of recreating an ACL. 
[0112] While in the fourth embodiment, the method of 
setting an ACL on a user-group basis has been ex- 
plained in connection with the first embodiment, the 
method may be applied similarly to the second and third 
embodiments. 
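
The fourth embodiment's conversion and access check, shown as an added example that is not part of the original patent text. It converts pattern #1 into a user-group ACL, contrasts it with the per-user ACL of the first embodiment, and shows what a personnel change does to each. The group-name string format, the `Directory` class, and the entry-passthrough for names that are not abstract user names are assumptions made for illustration.

```python
"""Pattern-to-ACL conversion on a user-group basis (added illustration)."""

# Access-right setting pattern #1 as quoted in the text: abstract user name -> rights.
PATTERN_1 = {
    "general manager": {"read"},
    "section chief": {"read"},
    "system manager": {"read", "execute"},
}
ABSTRACT_NAMES = frozenset(PATTERN_1)


def group_name(department, abstract_name):
    """Naming rule shared by converter and directory (string format is assumed)."""
    return f"{abstract_name} in the {department} department"


class Directory:
    """Hypothetical stand-in for the user information managing section."""

    def __init__(self):
        self._groups = {}

    def set_members(self, department, abstract_name, users):
        self._groups[group_name(department, abstract_name)] = set(users)

    def members(self, name):
        # An undefined group resolves to nobody, so a dangling entry fails closed.
        return frozenset(self._groups.get(name, ()))


def build_directory():
    """Department A membership as listed in the text."""
    directory = Directory()
    directory.set_members("A", "general manager", ["Suzuki"])
    directory.set_members("A", "section chief", ["Sato"])
    directory.set_members("A", "system manager", ["Takahashi", "Tanaka"])
    return directory


def to_group_acl(pattern, department, abstract_names=ABSTRACT_NAMES):
    """Fourth embodiment: abstract names become user-group names.
    Entries that are not abstract names are copied unchanged."""
    acl = {}
    for principal, rights in pattern.items():
        if principal in abstract_names:
            principal = group_name(department, principal)
        acl.setdefault(principal, set()).update(rights)
    return acl


def to_user_acl(pattern, department, directory, abstract_names=ABSTRACT_NAMES):
    """First embodiment: abstract names are expanded into the actual users
    who hold the role at conversion time."""
    acl = {}
    for principal, rights in pattern.items():
        if principal in abstract_names:
            users = directory.members(group_name(department, principal))
        else:
            users = {principal}
        for user in users:
            acl.setdefault(user, set()).update(rights)
    return acl


def is_permitted(acl, user, right, directory):
    """Server-side check after authentication: an entry matches when it names
    the user directly or names a group whose current member list contains the user."""
    for principal, rights in acl.items():
        if right in rights and (principal == user or user in directory.members(principal)):
            return True
    return False


if __name__ == "__main__":
    directory = build_directory()
    group_acl = to_group_acl(PATTERN_1, "A")
    user_acl = to_user_acl(PATTERN_1, "A", directory)
    # Personnel change: Takahashi leaves the role, Yamada (constructed name) joins.
    directory.set_members("A", "system manager", ["Tanaka", "Yamada"])
    for name in ("Takahashi", "Yamada"):
        print(name,
              "group ACL:", is_permitted(group_acl, name, "execute", directory),
              "user ACL:", is_permitted(user_acl, name, "execute", directory))
```

After the membership change the group ACL is untouched yet denies Takahashi and admits Yamada, while the per-user ACL still grants Takahashi the execute right until it is recreated.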

(Fifth Embodiment) 

[0113] In the first to fourth embodiments, the method 
in which the WWW server 13 asks the user information
managing section 25 of the directory server 9 to check 
an actual user name has been explained in connection 
with the actual access-right setting process (the opera- 
tion after ACL setting). In contrast, in a fifth embodiment 
of the present invention, a method of registering at- 
tribute information (including user names and pass- 
words) to be checked and user-group information (a list 
of users belonging to the user-groups) in the WWW 
server 13 beforehand will be explained. 
[0114] FIG. 13 is a block diagram showing the func- 
tional configuration of an access-right setting system ac- 
cording to the fifth embodiment of the present invention. 
In FIG. 13, the same parts as those in FIG. 2 are indi- 
cated by the same reference symbols and explanation 
of them will be omitted. Only the parts different from 
those in FIG. 2 will be explained. 
[0115] The access-right setting system has the same 
configuration as that of the first embodiment except that 
the user information transmitting section 54 is provided 
in the setting management server 8, the user informa- 
tion setting section 51 is provided in each computer 12, 
and the user information database 53 is provided in the 
WWW server 13. The user information database 53 is
a mechanism an ordinary WWW server has.
[0116] The user information transmitting section 54 
acquires the attribute information on the users belong- 
ing to the department specified at the input device 27 
and the user-group information from the user information
managing section 25 and transmits the acquired information
to the user information setting section 51 via
the network 1. The user information setting section 51 
registers the information received from the user infor- 
mation transmitting section 54 in the user information 
database 53. 

[0117] The operation of the access-right setting sys- 
tem in the fifth embodiment constructed as described 
above will be explained. 

[0118] Since the ACL setting process is the same as 
that in the first embodiment, explanation of it will be omit- 
ted. 

[0119] Using the input device 27 with suitable timing 
(for example, at any time before ACL setting or imme- 
diately after ACL setting), the access-right setter in- 
structs the user information transmitting section 54 to 
transmit the attribute information on the user and user- 
group information the target WWW server needs (for ex- 
ample, a rule that information on the users and user- 
groups belonging to department A should be transmitted 
to the WWW server in department A has been deter- 
mined beforehand. Alternatively, the access-right setter 
has specified the rule). 

[0120] Receiving the instruction, the user information 
transmitting section 54 reads the necessary user at- 
tribute information and user-group information from the 
user information managing section 25 and transmits the 
information to the user information setting section 51 in 
the target department. The user information setting section
51 stores the received information in the user information
database 53 in the target WWW server 13.
[0121] Next, the way of accessing the content 28 to
which an ACL has been set will be explained. 
[0122] When a user attempts to access the content 
28a of the WWW server 13a, the WWW server 13a requests
the user to enter his or her user name and password.
When receiving the user name and password, the
WWW server 13a asks the user information database
53 provided therein about attribute information on the 
user and authenticates the user. 
[0123] The actual user name acquired from the user 
information database 53a is compared with the ACL. 
Thereafter, access control is carried out as in the first 
embodiment. 

[0124] The access-right setting system of the fifth embodiment
not only produces a similar effect to that in the
first embodiment but also provides access control by the 
different method from those of the first to fourth embod- 
iments. 

[0125] While in the fifth embodiment, the method of 
acquiring the user attribute information from the user information
database 53 has been explained in connection
with the first embodiment, the method may be applied
similarly to the second to fourth embodiments. To
do this, the user information transmitting section 54, user
information setting section 51, and user information
database 53 have to be provided in each of the second
to fourth embodiments.

(Sixth Embodiment) 

[0126] While in each of the first to fifth embodiments,
the set 24 of access-right setting patterns has been set 
beforehand, the access-right setting patterns may be 
created, modified, or deleted. This will be explained in 
a sixth embodiment of the present invention. 
[0127] FIG. 14 is a block diagram showing the config- 
uration of an access-right setting pattern editing function 
applied to an access-right setting system according to 
the sixth embodiment of the present invention. In FIG. 
14, the same parts as those in FIGS. 2 to 13 are indi- 
cated by the same reference symbols and explanation 
of them will be omitted. Only the parts different from 
those in FIGS. 2 to 13 will be explained. 
[0128] The access-right setting system is such that an
access-right setting pattern management GUI 61 is pro- 
vided in the setting management server 8 of the access- 
right setting system in each of the first to fifth embodi- 
ments. 

[0129] The management GUI 61 is designed to re- 
ceive information from the input device 27 and create, 
modify, and delete an access-right setting pattern on the 
basis of the input information by means of the access- 
right setting pattern managing section 23. 
[0130] The access-right setting system of the sixth 
embodiment constructed as described above operates
similarly to the first to fifth embodiments except for the 
creation, modification, and deletion of access-right set- 
ting patterns. The management GUI 61 operates as fol- 
lows. 

[0131] When information on (or the contents of) a new 
access-right setting pattern is inputted from the input device
27 to the management GUI 61, the GUI 61 adds a
new pattern to the set 24 of access-right setting pat- 
terns. 

[0132] The changed contents of the existing access-
right setting patterns are displayed via the access-right 
setting pattern managing section 23 and management 
GUI 61. Looking at the display, the setter 62 enters the 
changing data. On the basis of the changing input, the 
managing GUI 61 changes the contents of the set 24 of 
access-right setting patterns. 
[0133] Furthermore, when a delete instruction and the
specification of the pattern to be deleted are inputted 
from the input device 27, the managing GUI 61 deletes 
the relevant pattern from the set 24 of access-right set- 
ting patterns. 

[0134] The access-right setting system of the sixth 
embodiment not only produces similar effects to those 
of the first to fourth embodiments but also facilitates the 
creation, modification, and deletion of access-right setting
patterns, because it includes the access-right setting
pattern managing mechanism composed of the
management GUI 61, input device 27, and access-right
setting managing section 23.
[0135] The access-right setting patterns may be managed
on a GUI basis or a command basis or in a combination
of them.

[0136] For example, with the managing GUI 61 and 
input device 27, various ways of data input may be con- 
sidered. For instance, the setter 62 may enter data from 
the keyboard or by clicking the desired object on the dis- 
play screen with the mouse or entering data from the 
keyboard. 

(Seventh Embodiment) 

[0137] In the first to sixth embodiments, a case where 
the access-right setting system manages the contents 
in each department in an in-house LAN system has 
been explained. The access-right setting systems in the 
first to sixth embodiments may be applied to various 
cases where access-rights have to be set to contents. 

In a seventh embodiment of the present invention, a system
which provides registered users with software and
contents via the Internet will be explained. 

[0138] FIG. 15 is a block diagram of a network system 
to which an access-right setting system according to the 
seventh embodiment of the present invention is applied. 
In FIG. 15, the same parts as those in FIGS. 2 to 14 are 
indicated by the same reference symbols and explana- 
tion of them will be omitted. Only the parts different from 
those in FIGS. 2 to 14 will be explained. 
[0139] The network system is such that the computer
system 101 of a software provider (hereinafter, referred 
to as the software content provider 101) and a large 
number of user terminals 102 are connected to the In- 
ternet 100. 

[0140] In the computer system 101 of the software 
content provider, various types of servers (not shown) 
for connecting with the Internet and a user registering 
section 103 are provided as shown in FIG. 1. Although 
FIG. 15 shows a case corresponding to the first embodiment,
the seventh embodiment may, of course, be applied
to any of the second to sixth embodiments. Specifically,
the computer system 101 of the software content
provider has the same configuration as that of the
system in each of the first to sixth embodiments except
that the user registering section 103 and others are added.

[0141] The user registering section 103 registers users
requesting registration by mail or via the Internet 100
in the user information 26. The user registering section
103 may be provided in an independent computer connected
to the LAN in the setting and managing section
2 or in the directory server 9.

[0142] After the users registered in the user informa- 
tion 26 have been assigned rights to access the content 
28, they are allowed to access the content 28 registered
in the WWW server 13 in each of the departments 3, 4,
... in the range of access-rights assigned to them. The
accessing is done from the user terminal 102 via the
Internet 100.

[0143] In the seventh embodiment, because information
on movies or sports and software contents, including
game programs, are provided for users, the departments
3, 4, include a sports department, a movie department
4, ... The WWW server 13 in the sports department
3 registers sports-related information as content
28. The WWW server 13 in the movie department
4 registers movies as content 28.
[0144] According to the organization of departments, 
the user information 26 registered in the directory server 
9 is organized into "rank A," "rank B," "rank C," ..., not
into "general manager," "section chief," "system manag- 
er," 

[0145] The ranks are discriminated from each other 
by, for example, rates. A user of higher rank can read 
(see) more contents and exercise a less restricted au- 
thority. The ranks are registered on a department basis. 
[0146] FIG. 16 shows an example of an access-right 
setting pattern group in the seventh embodiment. 
[0147] As shown in FIG. 16, patterns that only the us- 
ers of rank A are allowed to read and patterns that the 
users of rank A, rank B, rank C and rank D are allowed 
to read are prepared as access-right setting patterns. 
Access-rights include a right to only read, such as see- 
ing movies or reading programs, and a right to vote by 
which votes for and against or opinions about the ap- 
preciated contents are allowed to be given. Here, "exe- 
cute right" is set in the WWW server. The application 
side interprets the setting as "vote right," thereby real- 
izing the vote right. 

[0148] FIG. 17 shows an example of user information 
in the sports department. 

[0149] FIG. 18 shows an example of user information 
in the movie department. 

[0150] As described above, users are registered by 
rank on a department basis. 

[0151] Next, the access-right setting system of the 
seventh embodiment constructed as described above 
will be explained. 

[0152] When the user wants to receive content pro- 
viding service, he or she applies for registration via the 
Internet. On the basis of the application information, the 
user registering section 103 asks the user information 
managing section 25 for user registration in the software 
content provider 101. 

[0153] Since the user registration is carried out on a 
department basis, the user applying for registration has 
only to make a request for registration in the department 
related to the desired contents. For example, in FIGS. 
17 and 18, "Kato" has registered in rank A in the sports 
department and in rank B in the movie department. 
Moreover, "Sasaki" has registered only in the movie de- 
partment. 

[0154] Using the access-right setting system, the access-right
setter sets access-rights again in the content
28 at the service starting date in every month. This en- 
ables the users newly registered to access the content 
28 in the range of their rights from the service starting 
date in that month. 

[0155] When the access-right setting system of the 
fourth embodiment is used, there is no need to set access-rights
again to the content 28 and the user 102 can
access the content 28 at the time when the user has 
been registered in the user information 26. 
[0156] The access-right setting system of the seventh
embodiment produces similar effects to those of the first
to sixth embodiments, even when the contents are provided
for users outside the system.
[0157] While in the seventh embodiment, the access-
right setting system has been applied to a software con- 
tent provider, the present invention may be applied to 
similar various services. 

(Modifications) 

[0158] The present invention is not limited to the 
above embodiments, and may be practiced or embod- 
ied in still other ways without departing from the spirit or 
essential character thereof. Hereinafter, modifications 
will be explained. 

[Modification 1] 

[0159] In the above embodiments, a method of trans- 
mitting and receiving ACL, ACL patterns, and content 
information has not been written. The following trans- 
mitting and receiving methods can be considered. As 
long as the necessary information can be received and 
transmitted correctly, any approach may be used.

A message communication between distributed objects
is used which uses Java RMI or ORB (Object
Request Broker) techniques complying with Java
RMI or CORBA (Common Object Request Broker
Architecture).

A communication between processes which uses
RPC (Remote Procedure Call) or Socket is used.

General WWW mechanisms, such as HTTP (Hyper
Text Transfer Protocol) or CGI (Common Gateway
Interface), are used.

An agent holds the necessary information and distributes
it.

[Modification 2] 

[0160] While in the above embodiments, an ACL has 
been created by applying the user information to an ac- 
cess-right setting pattern, what is equivalent to an al- 
ready completed ACL may be included as an access- 
right setting pattern. In this case, the ACL converting 
sections 22, 22' transmit the selected access-right set- 
ting pattern as an ACL to the ACL setting section 15. 



[Modification 3] 

[0161] Abstract user names may be mixed with actual 
user names (or user-group names) in a single access- 
right setting pattern. In this case, only the abstract user
names are converted on the basis of the user informa- 
tion. The parts of the actual user names are left as they 
are in the created ACL. 

[Modification 4]

[0162] Although "general manager" and "section 
chief" in a company have been used as abstract user 
names, there is no limit to abstract user names. 

[Modification 5] 

[0163] In the above embodiments, the contents in the
WWW server have been written as resources to which
access-rights are to be set. As long as resources on a
computer allow the setting of access-rights as files on a 
file system or data items on a database, there is no limit 
to resources to which access-rights are to be set. 

[Modification 6]

[0164] While in the above embodiments, the setting 
and managing department 2 for access-rights has been 
set independently, another department, for example, the 
A department 3 may also act as the setting and managing
department 2.

[Modification 7] 

[0165] While in FIGS. 2 to 11, explanation has been
given using two departments, the A department 3 and
B department 4, there is no limit to the number of departments
as shown in FIG. 1.

[Modification 8]

[0166] A suitable combination of the first embodiment
and the second or third embodiment or a suitable selection
of one of the above embodiments makes it possible
to determine whether the conversion of an access-right
setting pattern into an ACL should be caused in the setting
and managing department 2 or each of the departments
3, 4, ... to which access-rights are to be set, depending
on the design concept of the system or the load
condition.

[0167] Storage mediums which can store programs 
and be read by a computer may be used in any suitable 
form for the present invention. The storage mediums include
magnetic disks, floppy disks, hard disks, optical
disks (e.g., CD-ROM, CD-R, or DVD), magneto-optical
disks (e.g., MO), and semiconductor memories. 
[0168] The OS (operating system) running on the
computer under the control of the programs installed
from a storage medium into the computer or the MW
(middleware) including database management software
and network software may execute part of each process
for realizing the above embodiments.

EP 0 992 873 A2

[0169] The storage mediums of the present invention 
include not only storage mediums independent of the 
computer but also storage mediums into which the pro- 
grams transmitted via a LAN or the Internet have been 
downloaded or which store such programs temporarily. 
[0170] The number of storage mediums is not limited 
to one. The storage mediums of the present invention 
include a set of storage mediums which carries out the 
processes in the embodiments. That is, the storage me- 
dium may take a suitable configuration. 
[0171] The computer system of the present invention 
may be composed of a single computer or of plural com- 
puters connected to each other through a network and 
execute each process in the embodiments under the 
control of the programs stored in a storage medium. 
[0172] The computers in the present invention include
not only personal computers but also arithmetic and log- 
ic units and microcomputers built in information 
processing devices. That is, they include apparatuses, 
instruments, and devices which can realize the function 
of the present invention by means of programs. 



Claims 

1. An access-right setting system for setting right to 
access resources on a computer, characterized by 
comprising: 

an access-right setting pattern storage section
(24) for storing one or more types of access- 
right setting patterns in which at least an object 
to obtain permission to access said resources 
is written; and 

a selecting section (21) for selecting any one of
said access-right setting patterns to set said 
right to access. 

2. An access-right setting system according to claim
1, characterized in that said access-right setting
pattern storage section (24) stores access-right set- 
ting patterns in which said object to obtain the per- 
mission is written in abstract user name. 

3. An access-right setting system according to claim
2, characterized in that said access-right setting
pattern storage section (24) stores not only said ob- 
ject but also access-right setting patterns in which 
the contents of the right to access are written. 

4. An access-right setting system according to claim
3, characterized by further comprising an access
control list creating section (22) which creates an
access control list used to set said right to access
by adapting an actual user name correlated with an
abstract user name to the abstract user name in the 
access-right setting pattern selected by said select- 
ing section (21). 

5. An access-right setting system according to claim
4, characterized by further comprising a user information
storage section (26) for storing user information
including one or more combinations of said
actual user names.

6. An access-right setting system according to claim
5, characterized by further comprising an access
control list setting section (15) which is provided on
a computer that manages said resources directly
and sets the access control list created by said access
control list creating section (22) for the resources.

7. An access-right setting system according to claim
6, characterized by further comprising a resource
information acquiring section (14) which is provided
on a computer that directly manages resources to
which said right to access is to be set and acquires
resource belonging information to create said access
control list, wherein

said selecting section (21) instructs said resource
information acquiring section (14) to acquire
said belonging information and specifies the resource
from which the belonging information is to
be acquired as an object to which said right to access
is to be set.
8. An access-right setting system according to claim 
7, characterized in that said selecting section (21)
is provided on a computer different from the computer
that manages said resources directly and the
two computers exchange information via a network.

9. An access-right setting system according to claim
7, characterized in that said access control list creating
section (22) is provided on a computer different
from the computer that manages said resources
directly and the two computers exchange information
via a network.

10. An access-right setting system according to claim
7, characterized in that said access control list creating
section (22) is provided on the computer that
manages said resources directly.

11. An access-right setting system according to claim
7, characterized in that said user information storage
section (26) is provided on a computer different
from the computer that manages said resources directly
and the two computers exchange information
via a network.

12. An access-right setting system according to claim
7, characterized in that said user information stor- 
age section (26) is provided on the computer that 
manages said resources directly. 

13. An access-right setting system according to claim 
3, characterized by further comprising an access 
control list creating section (22) which creates an 
access control list used to set said right to access 
by adapting a user-group name corresponding to 
an actual user name correlated with an abstract us- 
er name to the abstract user name in the access- 
right setting pattern selected by said selecting sec- 
tion (21). 

14. An access-right setting system according to claim
13, characterized by further comprising a user information
storage section (26) for storing user information
including one or more combinations of said
actual user names, the user information including 
said user-group name as the information deter- 
mined by the combination group name and said ab- 
stract user name, and said user-group name re- 
maining unchanged even when the contents of the 
combination of actual user names are changed. 

15. An access-right setting system according to claim
14, characterized by further comprising an access
control list setting section (15) which is provided on 
a computer that manages said resources directly 
and sets the access control list created by said ac- 
cess control list creating section (22) for the re- 
sources. 

16. An access-right setting system according to claim
15, characterized by further comprising a resource
information acquiring section (14) which is provided 
on a computer that directly manages resources to 
which said right to access is to be set and acquires 
resource belonging information to create said ac- 
cess control list, wherein 

said selecting section (21) instructs said re- 
source information acquiring section (15) to acquire 
said belonging information and specifies the re- 
source from which the belonging information is to 
be acquired as an object to which said right to ac- 
cess is to be set. 

17. An access-right setting system according to claim 16, characterized in that said selecting section (21) is provided on a computer different from the computer that manages said resources directly and the two computers exchange information via a network.

18. An access-right setting system according to claim 16, characterized in that said access control list creating section (22) is provided on a computer different from the computer that manages said resources directly and the two computers exchange information via a network.

19. An access-right setting system according to claim 16, characterized in that said access control list creating section (22) is provided on the computer that manages said resources directly.

20. An access-right setting system according to claim 16, characterized in that said user information storage section (26) is provided on a computer different from the computer that manages said resources directly and the two computers exchange information via a network.

21. An access-right setting system according to claim 16, characterized in that said user information storage section (26) is provided on the computer that manages said resources directly.

22. A computer program stored on a computer-readable medium used to control an access-right setting system for setting right to access resources on a computer, the computer program characterized by comprising:

a code of access-right setting pattern managing means (23) for causing a storage unit to store one or more types of access-right setting patterns in which at least an object to obtain permission to access said resources is written; and

a code of selecting means (21) for causing the access-right setting pattern managing means (23) to select any one of said access-right setting patterns to set said right to access.

23. A computer program according to claim 22, characterized in that said access-right setting pattern managing means (23) causes a storage unit to store access-right setting patterns in which said object to obtain the permission is written in abstract user name.

24. A computer program according to claim 23, characterized in that said access-right setting pattern managing means (23) causes the storage unit to store not only said object but also access-right setting patterns in which the contents of the right to access are written.

25. A computer program according to claim 24, characterized by further comprising a code of access control list creating means (22) which creates an access control list used to set said right to access by adapting an actual user name correlated with an abstract user name to the abstract user name in the access-right setting pattern selected by said selecting section (21).

26. A computer program according to claim 25, characterized by further comprising a code of user information storage managing means (25) for causing a storage unit to store user information including one or more combinations of said actual user names.

27. A computer program according to claim 26, characterized by further comprising a code of access control list setting means (15) which sets the access control list created by said access control list creating means (22) for the resources.

28. A computer program according to claim 27, characterized by further comprising a code of resource information acquiring means (14) which acquires resource belonging information to create said access control list, wherein

said selecting section (21) instructs said resource information acquiring means (14) to acquire said belonging information and specifies the resource from which the belonging information is to be acquired as an object to which said right to access is to be set.

29. A computer program according to claim 24, characterized by further comprising a code of access control list creating means (22) which creates an access control list used to set said right to access by adapting a user-group name corresponding to an actual user name correlated with an abstract user name to the abstract user name in the access-right setting pattern selected by said selecting means (21).

30. A computer program according to claim 29, characterized by further comprising a code of user information managing means (25) for causing a storage unit to store user information including one or more combinations of said actual user names, the user information including said user-group name as the information determined by the combination group name and said abstract user name, and said user-group name remaining unchanged even when the contents of the combination of actual user names are changed.

31. A computer program according to claim 30, characterized by further comprising a code of access control list setting means (15) which sets the access control list created by said access control list creating means (22) for the resources.

32. A computer program according to claim 31, characterized by further comprising a code of resource information acquiring means which acquires resource belonging information to create said access control list, wherein

said selecting means (21) instructs said resource information acquiring means (14) to acquire said belonging information and specifies the resource from which the belonging information is to be acquired as an object to which said right to access is to be set.
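
The substitution recited in claims 13 and 14 (and 29 and 30), as an added Python example that is not part of the patent: an ACL built with user-group names stays identical after a personnel change, while one built with actual user names goes stale and must be rewritten on every resource. The data layout, the combination name `sales`, the group names such as `sales-gm`, the sample members and all function names are assumptions; the `path`, `allow` and `user` fields are the ones that appear in the ACL file example in the figures.

```python
import copy

# Constructed sample data; the names and layout are assumptions for illustration.
PATTERNS = {  # access-right setting pattern: abstract user name -> rights
    "pattern1": {"GENERAL MANAGER": ["read"], "SYSTEM MANAGER": ["read", "execute"]},
}
USER_INFO = {  # (combination group, abstract user name) -> group name + members
    ("sales", "GENERAL MANAGER"): {"group": "sales-gm", "members": {"suzuki"}},
    ("sales", "SYSTEM MANAGER"): {"group": "sales-sysmgr",
                                  "members": {"tanaka", "takahashi"}},
}


def create_acl(pattern, combination, path, user_info, use_groups=True):
    """Substitute each abstract user name in the pattern to build ACL entries."""
    entries = []
    for abstract, rights in PATTERNS[pattern].items():
        info = user_info.get((combination, abstract))
        if info is None or not info["members"]:
            # Fail closed: never emit an entry with an empty or unresolved subject.
            raise LookupError(f"no actual user for {abstract!r} in {combination!r}")
        subject = info["group"] if use_groups else ", ".join(sorted(info["members"]))
        entries.append({"path": path, "allow": list(rights), "user": subject})
    return entries


def render(entries):
    """Serialise entries as path / allow / user lines."""
    return "\n".join(
        f'path= "{e["path"]}"\nallow ({", ".join(e["allow"])})\nuser= "{e["user"]}"'
        for e in entries
    )


def personnel_change_demo():
    """Return (group ACL unchanged?, name ACL unchanged?) after a role change."""
    path = "/opt/www/docs/file1.html"
    after = copy.deepcopy(USER_INFO)
    # tanaka leaves the system-manager role and sato takes over.
    after[("sales", "SYSTEM MANAGER")]["members"] = {"sato", "takahashi"}
    g0, n0 = (create_acl("pattern1", "sales", path, USER_INFO, g) for g in (True, False))
    g1, n1 = (create_acl("pattern1", "sales", path, after, g) for g in (True, False))
    return g0 == g1, n0 == n1


if __name__ == "__main__":
    print(render(create_acl("pattern1", "sales", "/opt/www/docs/file1.html", USER_INFO)))
```

With name-based entries, the departed user keeps access until each affected ACL is regenerated; with group-based entries only the user information store changes.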
ACCESS-RIGHT SETTING PATTERN #1:
GENERAL MANAGER= READ RIGHT,
SECTION CHIEF= READ RIGHT
SYSTEM MANAGER= READ RIGHT, EXECUTE

ACCESS-RIGHT SETTING PATTERN #2:
GENERAL MANAGER= READ RIGHT, EXECUTE RIGHT,
SECTION CHIEF= READ RIGHT, EXECUTE RIGHT
ORDINARY MEMBERS= READ RIGHT

EXAMPLE OF ACL FILE (XXX.acl)
path= "/opt/www/docs/file1.html"
allow (read, write)

user= "yamada, tanaka"
path= "/opt/www/docs/file1.html"
allow ( )

user= ( )


FIG.6A 



TARGET PATH=0000 
SUZUKI= READ RIGHT 
SATO= READ RIGHT 

TAKAHASHI= READ RIGHT, EXECUTE RIGHT 
TANAKA= READ RIGHT, EXECUTE RIGHT 



FIG.6B 



TARGET PATH=0000 
NAKAMURA= READ RIGHT 
KATO= READ RIGHT, EXECUTE RIGHT 
SAITO= READ RIGHT, EXECUTE RIGHT 

EXAMPLE OF ACL FILE (XXX.acl)
path= "/opt/www/docs/file1.html"
allow (read, write) — 52

user= "USER GROUP NAME"
path= "/opt/www/docs/file1.html"
allow ( )

user= ( )

ACCESS-RIGHT SETTING PATTERN #1:
RANK A= READ RIGHT, VOTE RIGHT

ACCESS-RIGHT
RANK B= READ RIGHT